So – I have blogged about how to enable IPv6 on your firewall & setup your tunnel, and how to manually add addresses to an ubuntu server, but what about the server you are sticking on the end of the tunnel permanently – you want it up every reboot.

Most modern distro’s will have IPv6 enabled out of the box & it will do its best to grab an address. I didnt want autoconfiguration to hand any old address to it (even with SLAAC using the MAC address) to this host – so I could properly setup inbound & outbound FW rules.

You can turn it off by entering the following in /etc/sysctl.conf & reboot

My previous IPv6 network was configured with Astaro – recently I have switched vendor to Fortinet (partly troubleshooting, partly cause I could). Using one of their FortiGate FWs – its been “fun” getting all the functions working that I had on the Astaro – one that was a bit more complex was the IPv6 config. It was pretty much point & click GUI driven on the Astaro, its a lot more CLI driven on the FortiGate.

Im using PPPoE without a static IP – so when my IPv4 ISP connection changes address, it will take out my IPv6 Tunnel – I will try to work out how this needs to be fixed later.

First step is to enable IPv6 in the GUI – most of the tunnel config is going to be done on the CLI, but with the GUI enabled, you can at least manage the addresses / policies easily.

config system global

set gui-ipv6 enable

end

Configure up the tunnel – if you are using he.net (tunnelbroker.net), there is a shortcut you can take.

View your Tunnel Details on their admin page, make sure you set the correct “Client IPv4 Address” to match your current PPoE or other connection. Then click on the tab called “Example Configurations” which allows you to simply select your OS & it populates the changes needed with the correct IP addresses. In this case, FortiGate 4.x

config system sit-tunnel

edit “HE”

set destination 64.62.134.130

set ip6 2001:470:66:288::2/64

set source 121.216.247.8

next

end

config router static6

edit 1

set device “HE”

next

end

Once you have pasted that into the CLI on the FG, check the tunnel comes up & finish the config

Configure some FW policies to allow your internal hosts to browse the IPv6 internet (HTTP/HTTPS/PING6/DNS). You can now use the GUI on the FortiGate to configure your new IPv6 FW rules, just remember to use the “IPv6 Policy” menu, not the standard “Policy” page – as that is your IPv4 traffic.

A note on IPv6 DNS & the FortiGate

After some mucking around & frustration, it was clear that the FortiGate was not advertising DNS to stateless autoconfiguration clients. This meant that I had to configure the IPv6 DNS server manually – hardly a great solution (you can use the one from HE).

I found another couple of config items that seems to fix the issue (I added these to my config above)

set ip6-manage-flag enable

set ip6-other-flag enable

Documentation from Fortinet on this is not great, so I dont know the full impact of these, but it seems to do what I want, as long as your IPv4 DNS server is the Fortigate.

As you can see, I only have an IPv4 nameserver (The FortiGate), but both IPv4 & IPv6 DNS entries are happily being resolved.

Well – its official – I am an IPv6 consumer. I have a public facing IPv6 web & smtp server – and I have passed the requirements of the Hurricane Electric (he.net) IPv6 certification program to the SAGE level – http://ipv6.he.net/certification/

I already had IPv6 through Freenet6 – as I detailed in my previous IPv6 post here so I began the IPv6 certification program, and ran through the first few basic levels.

I can reach the site with IPv6- Check

he.net can reach my IPv6 website – Check

he.net can send me email (had to stand up postfix for this one) – Check

This got me to the Administrator level – anyone with IPv6 connectivity can easily get here – simply have a reachable IPv6 website & mail server.

This is where the fun came in. To get to the next level (Professional) – I needed a working reverse DNS entry for my mailserver. Now while this sounds simple – freenet6 doesnt appear to provide an easy way to configure reverse DNS entries for the IPv6 range they provide you – bummer.

I had exhausted my energy trying to setup reverse DNS with Freenet6, so off to Hurricane Electric I went – seemed a logical choice considering I was doing their certification anyway. Signup was simple & within minutes I had a new IPv6 allocation. They initially allocate a single /64 – but once you have enabled your connection – you can request a /48 – which of course I did.

So – now that I have a new allocation, here is how I configured it on my network.

Minutes later, the /64 range on your tunnelbroker.net account page should appear in the global tab.

A couple of tests later & I confirmed I could ping IPv6 addresses from my Astaro box (example here using the ns2.he.net nameserver address)

I decided to use the inital /64 I was allocated as the range for my Internal hosts, and then break up the /48 into subnets for other zones.

By far the easiest way to use IPv6 is let the “Stateless Auto Configuration” work its magic. It doesnt require DHCP, allows hosts to automatically find the router & get an address – pretty much works as it says on the box.

Simply add an IPv6 address to the FW interface you want to run IPv6 on, then advertise the subnet out.

Suddenly your internal hosts will be getting IPv6 addresses & will be EXTERNALLY REACHABLE <— This is important. Make sure you setup your firewall rules, host protection etc etc. I will not cover this step, but you need to ensure you understand that as soon as your box has an IPv6 address – it is publically routable from the outside world.

Repeat the addition of an IPv6 address (from another /64 subnet – broken up out of your /48 you requested from tunnelbroker.net) to the DMZ interface(s). I am not enabling the “Stateless Auto Configuration” on my DMZ segments, I am just manually assigning addresses to the couple of boxes in there.

Right – that covers the move to Hurricane Electric & how to re-address the internal & DMZ segments.

Next steps are re-addressing my public web & smtp server, updating the DNS forward & reverse zone entries – and what is needed to complete the rest of the certification.

So – I decided it was finally time to finish implementing & document my IPv6 config – mainly so I remember how I did it, but also to help others on their IPv6 journey to the interwebs

High Level:

– Get a IPv6 subnet (duh) – This will depend on your scenario, several ISP’s offer native IPv6 (Internode) – mine does not (Telstra Bigpond).
– Configure a router / firewall / host with IPv6 address from your subnet
– Configure an IPv6 DNS address on that device to resolve AAAA records
– Bask in the IPv6ness of the interwebs – it looks eerily like the IPv4ness of the interwebs.

Ok, before we move on with turning the IPv6 up – you need to plan out a couple of things.

– Your IPv6 address is PUBLIC – it is reachable from the outside world, consider the consequences & firewall appropriately, also turn off NAT for IPv6 if your FW supports it – it will be a PITA when testing with your web browser & getting a different IPv6 address than you expect.

– IPv6 Subnetting – depending on the provider, you will be allocated something like a /56 subnet (4722366482869645213696 host IP’s — SERIOUSLY)

I broke my /56 up into /64 subnets for each zone (INSIDE / DMZ1 / DMZ2 / DARKNET) – still giving me 256 subnets containing 18446744073709551616 host addresses each …. I dont think im going to run out of addresses any time soon.

I could have broken em up into /96 subnets, giving me 1099511627776 subnets with 4294967296 (4 billion) hosts in each …. but really, when we are talking numbers like this, its just academic – use whatever fits your network design. I figured that im not going to ever need 256 subnets or more, so I just broke it up there, and /64 is a nice subnet mask boundry.

Many operating systems use the EUI-64 algorithm to generate IPv6 addresses. This algorithm derives the last 64 bits of the IPv6 address using the MAC address. Many see this as a privacy problem. The last half of your IP address will never change, and with MAC addresses being somewhat unique, the interface ID becomes close to a unique “cookie” identifying your system.

As a result, RFC3041 introduces “privacy enhanced” addresses which will change and are created by hashing the MAC address.

*NOTE: Default behaviour of Windows XP & Server 2003 does not use the randomization*

What this means from an administration perspective is that after every reboot, the IPv6 address that is presented to the network changes ….. which makes things like DNS / FW rules etc a nightmare to manage in a corporate / enterprise scenario where you really need to be able to have a stable addressing scheme.

I have a /52 IPv6 subnet through a tunnel broker. My border firewall terminates the tunnel & advertises the subnet on the inside interface for autoconfiguration (without having to configure DHCP)

So, lets break it down.

I get a /52 subnet, which is advertised to my internal machines.

aaaa:bbbb:cccc:dddd::/56

In normal configuration, by default in Windows 7 – it generates a randomized Link-local address (not based on the MAC)

Excellent – we have a global / routable IPv6 address based on the host’s link local address which I can now use.

However, Windows isnt done yet, it also assigns a Temporary IPv6 address – which is used when accessing network resources. This Temporary address is only kept for a set period, and changes when the machine reboots – and here is the problem. How can I configure a firewall rule for this host to reach an external resource ?

Excellent – we have a global / routable IPv6 address based on the host’s link local address which I can now use.

A note on the addressing – In this addressing mode, the 64-bit interface identifier is derived from its 48-bit MAC address. A MAC address 00:1D:BA:06:37:64 is turned into a 64-bit EUI-64 by inserting FF:FE in the middle: 00:1D:BA:FF:FE:06:37:64. As I “only” have a /52 assigned to me the whole MAC is not used, but the address is based on the last 5 octets.

me

otherblogs

podcasts

Hak5 – security podcast
Put together by a band of IT ninjas, security professionals and hardcore gamers, Hak5 isn’t your typical tech show. We take on hacking in the old-school sense, covering everything from network security, open source and forensics, to DIY modding and the ho